Semantic Equivalences and the. Verification of Infinite-State Systems 1 c 2004 Richard Mayr

Similar documents
Some techniques and results in deciding bisimilarity

Simulation Preorder on Simple Process Algebras

The State Explosion Problem

Introduction to Temporal Logic. The purpose of temporal logics is to specify properties of dynamic systems. These can be either

Recent results on Timed Systems

Finite-State Model Checking

Models for Efficient Timed Verification

Undecidability of Weak Bisimulation Equivalence in Unary One-Counter Petri Nets

Model Checking: An Introduction

Abstractions and Decision Procedures for Effective Software Model Checking

Sanjit A. Seshia EECS, UC Berkeley

Introduction. Pedro Cabalar. Department of Computer Science University of Corunna, SPAIN 2013/2014

Introduction to Model Checking. Debdeep Mukhopadhyay IIT Madras

Bounded Model Checking with SAT/SMT. Edmund M. Clarke School of Computer Science Carnegie Mellon University 1/39

A Brief Introduction to Model Checking

Lecture 2: Symbolic Model Checking With SAT

3-Valued Abstraction-Refinement

Undecidability Results for Bisimilarity on Prefix Rewrite Systems

Automatic Synthesis of Distributed Protocols

New Complexity Results for Some Linear Counting Problems Using Minimal Solutions to Linear Diophantine Equations

Chapter 4: Computation tree logic

Integer Linear Programming Based Property Checking for Asynchronous Reactive Systems

Double Header. Model Checking. Model Checking. Overarching Plan. Take-Home Message. Spoiler Space. Topic: (Generic) Model Checking

Timo Latvala. March 7, 2004

Petri Nets (for Planners)

Theoretical Foundations of the UML

Temporal Logic Model Checking

Techniques to solve computationally hard problems in automata theory

Reasoning about Strategies: From module checking to strategy logic

arxiv: v2 [cs.fl] 3 Dec 2012

Timed Automata. Semantics, Algorithms and Tools. Zhou Huaiyang

Approximation Metrics for Discrete and Continuous Systems

Temporal Logic. Stavros Tripakis University of California, Berkeley. We have designed a system. We want to check that it is correct.

SIMULATION PROBLEMS OVER ONE-COUNTER NETS

Alan Bundy. Automated Reasoning LTL Model Checking

Characterizing Fault-Tolerant Systems by Means of Simulation Relations

TUM{INFO{10-I /1.{FI Alle Rechte vorbehalten Nachdruck auch auszugsweise verboten c1998 SFB 342 Methoden und Werkzeuge fur die Nutzung parallele

Flat counter automata almost everywhere!

Computation Tree Logic (CTL) & Basic Model Checking Algorithms

Overview. Discrete Event Systems Verification of Finite Automata. What can finite automata be used for? What can finite automata be used for?

Languages, regular languages, finite automata

MODEL CHECKING. Arie Gurfinkel

Automata-Theoretic Model Checking of Reactive Systems

Verification. Arijit Mondal. Dept. of Computer Science & Engineering Indian Institute of Technology Patna

Robot Games of Degree Two

Model Checking. Boris Feigin March 9, University College London

DP lower bounds for equivalence-checking and model-checking of one-counter automata

DES. 4. Petri Nets. Introduction. Different Classes of Petri Net. Petri net properties. Analysis of Petri net models

Reachability Analysis of Pushdown Automata with an Upper Stack

POLYNOMIAL SPACE QSAT. Games. Polynomial space cont d

Parameterized model-checking problems

On the coinductive nature of centralizers

From Liveness to Promptness

A brief history of model checking. Ken McMillan Cadence Berkeley Labs

Software Verification using Predicate Abstraction and Iterative Refinement: Part 1

Learning to Verify Branching Time Properties

A Logical Viewpoint on Process-Algebraic Quotients

A Survey of Partial-Observation Stochastic Parity Games

Symbolic Trajectory Evaluation (STE): Orna Grumberg Technion, Israel

Synthesis of Winning Strategies for Interaction under Partial Information

Computation Tree Logic

Lecture 7 Synthesis of Reactive Control Protocols

Chapter 5: Linear Temporal Logic

Communication in Petri nets

Computer Aided Verification

Weak Bisimilarity with Infinite-State Systems can be Decided in Polynomial Time

Models of Concurrency

CTL Model checking. 1. finite number of processes, each having a finite number of finite-valued variables. Model-Checking

Overview. overview / 357

A Game-Theoretic Approach to Simulation of Data-Parameterized Systems

Scalable and Accurate Verification of Data Flow Systems. Cesare Tinelli The University of Iowa

Symbolic Data Structure for sets of k-uples of integers

Formal Verification of Mobile Network Protocols

Concurrency Makes Simple Theories Hard

Helsinki University of Technology Laboratory for Theoretical Computer Science Research Reports 66

Software Verification

The algorithmic analysis of hybrid system

Simulation and Bisimulation over Multiple Time Scales in a Behavioral Setting

Some Remarks on Alternating Temporal Epistemic Logic

A Unifying Approach to Decide Relations for Timed Automata and their Game Characterization

ESE601: Hybrid Systems. Introduction to verification

Lecture 11: Timed Automata

Model Theory of Modal Logic Lecture 4. Valentin Goranko Technical University of Denmark

FORMAL METHODS LECTURE III: LINEAR TEMPORAL LOGIC

Computer-Aided Program Design

Liveness in L/U-Parametric Timed Automata

Communication and Concurrency: CCS. R. Milner, A Calculus of Communicating Systems, 1980

Robust Controller Synthesis in Timed Automata

Linear Temporal Logic and Büchi Automata

Hoare Logic I. Introduction to Deductive Program Verification. Simple Imperative Programming Language. Hoare Logic. Meaning of Hoare Triples

Real-Time Systems. Lecture 10: Timed Automata Dr. Bernd Westphal. Albert-Ludwigs-Universität Freiburg, Germany main

Limiting Behavior of Markov Chains with Eager Attractors

Automata-theoretic Decision of Timed Games

Trace Refinement of π-calculus Processes

On Model Checking for Visibly Pushdown Automata

MODEL CHECKING TIMED SAFETY INSTRUMENTED SYSTEMS

Model checking the basic modalities of CTL with Description Logic

The Downward-Closure of Petri Net Languages

Petri nets. s 1 s 2. s 3 s 4. directed arcs.

Motivation. CS389L: Automated Logical Reasoning. Lecture 10: Overview of First-Order Theories. Signature and Axioms of First-Order Theory

Transcription:

Semantic Equivalences and the Verification of Infinite-State Systems Richard Mayr Department of Computer Science Albert-Ludwigs-University Freiburg Germany Verification of Infinite-State Systems 1 c 2004 Richard Mayr

Formal Verification Proving the correctness of a given hardware- or software system w.r.t. specification, or finding the errors in it. a given Specification can be described by Specification languages Temporal logic formulae Abstract prototype systems The goal: If the system is correct, then prove it (automatically or semi-automatically). If the system is not correct then explain why. Ideally by a short counterexample. Verification of Infinite-State Systems 2 c 2004 Richard Mayr

Verification Methods Semiautomatic methods Manual or semiautomatic abstraction techniques. Reduction to problems which automatic methods can handle. Theorem provers (e.g., Isabelle, PVS). Automatic methods Reachability analysis Temporal logics and model checking (e.g., SPIN, SMV). Semantic equivalence checking Semantic preorder checking (i.e., A B, B implements A). Simulation preorder Trace preorder Verification of Infinite-State Systems 3 c 2004 Richard Mayr

Formal Verification Methods Finite-state systems: Theory relatively well understood. Problems with handling very large state spaces. Techniques used: BDDs minimization (preserving interesting properties) symmetry reduction PO-reduction search heuristics Many software systems are infinite-state. How to handle them? Verification of Infinite-State Systems 4 c 2004 Richard Mayr

What makes systems infinite? Unbounded recursion: Abstract models: pushdown automata, context-free processes Process creation and concurrency: Abstract models: Petri nets, Basic Parallel Processes, PA-processes Counters: Abstract models: counter machines (reversal-bounded, flat, 1-counter) Buffers: Abstract models: FIFO-channel systems, Lossy FIFO-channel systems Real time: Abstract models: Timed automata. Unbounded data structures: Abstract models: Extended automata Verification of Infinite-State Systems 5 c 2004 Richard Mayr

Model Checking and Related Methods Reachability analysis: Symbolic representations of (infinite) sets of states. Algorithms for computing Pre (set of predecessors) of a given set of states Post (set of successors) of a given set of states = Useful for checking safety-properties. Model checking with branching-time temporal logics: EF, EG, CTL, CTL, modal µ-calculus. Model checking with linear-time temporal logics: LTL, linear-time µ-calculus. Semantic equivalence/preorder checking of abstract specification and more refined model. E.g., simulation, bisimulation. Verification of Infinite-State Systems 6 c 2004 Richard Mayr

Highlights of my own work Process Rewrite Systems [Mayr, 1997]. A unified formalism for describing many classes of systems by term rewriting. Strictly more general than Petri nets and pushdown automata. Decidable reachability problem. Temporal logic EF Decidability of model checking for process classes PA and PAD [Mayr, 1997,1998]. Construction of characteristic EF-formulae for finite-state systems w.r.t. strong and weak bisimulation [Jančar, Kučera, Mayr, 1998]. Undecidability of boundedness for lossy counter machines [Mayr, 2000]. Very general undecidability result with consequences for lossy FIFO-channel systems, transfer Petri nets, parameterized systems, etc. Verification of Infinite-State Systems 7 c 2004 Richard Mayr

More Highlights Undecidability of weak bisimulation equivalence for 1-counter processes [Mayr, 2003]. Weak bisimilarity undecidable for Petri nets with just 1 unbounded place. Thus undecidable for almost all classes of infinite-state systems. Polynomial time algorithm for checking strong/weak bisimulation equivalence between context-free processes and finite-state systems [Kučera, Mayr, 1999]. Works by construction of the bisimulation-base, a compact representation of the whole infinite equivalence relation. Why simulation is harder than bisimulation [Kučera, Mayr, 2002]. Applied verification: A scalable automatic method for analyzing buffer overflow conditions in UML RT and Promela models. IBOC-tool. Verification of Infinite-State Systems 8 c 2004 Richard Mayr

Semantic Equivalences Consider systems/states as equivalent if they have the same behavior/properties. What is the same behavior? Notions of semantic equivalence. Does implementation A really implement specification B? Notions of semantic preorder. Central notions: Simulation and Bisimulation Definition Game theoretic characterization Logical characterization Verification of Infinite-State Systems 9 c 2004 Richard Mayr

General Model Labeled transition graph: (V, a, Act) V Act a V Act V Set of vertices. (Vertices interpreted as states.) Set of atomic actions. Directed edges, labeled with atomic actions. Consider semantic equivalences R V V in a single transition graph. States of different graphs can be compared by putting the graphs side-by-side and considering them as a single graph. Verification of Infinite-State Systems 10 c 2004 Richard Mayr

Semantic Equivalences: Definition Simulation: A relation R V V is a simulation if whenever (X, Y ) R then for each a Act: X with X a X Y with Y a Y and (X, Y ) R. Simulation preorder is the largest simulation relation, denoted by. Simulation equivalence is defined as Bisimulation: A relation R is a bisimulation iff it is a symmetric simulation. The largest bisimulation is an equivalence, denoted by. Verification of Infinite-State Systems 11 c 2004 Richard Mayr

Simulation Games Simulation game between two players: Attacker and Defender. Initial configuration: Pair of states (X, Y ). Attacker wants to show X Y. Defender wants to show X Y. In every round of the game: Attacker makes a move on the left side, e.g., X a X. Defender must respond by a move on the right side with the same action, e.g., Y a Y. The new configuration is (X, Y ). Next round. If one player cannot move then the other player wins. The defender wins every infinite game. Theorem: X Y iff the defender has a winning strategy. Verification of Infinite-State Systems 12 c 2004 Richard Mayr

Bisimulation Games Bisimulation game between two players: Attacker and Defender. Initial configuration (X, Y ). Attacker wants to show X Y. Defender wants to show X Y. In every round of the game: Attacker chooses a side (either X or Y ) and makes a move (e.g., X a X or Y a Y ). Defender must respond by a move on the other side with the same action (e.g., Y a Y or X a X ). The new configuration is (X, Y ). If one player cannot move then the other player wins. The defender wins every infinite game. Theorem: X Y iff the defender has a winning strategy. Verification of Infinite-State Systems 13 c 2004 Richard Mayr

Differences between Simulation and Bisimulation X Y a a a a b c b c b c X Y, but X Y. Verification of Infinite-State Systems 14 c 2004 Richard Mayr

Weak Simulation and Weak Bisimulation Need to abstract from internal actions in system models. E.g., prove the semantic equivalence of a more detailed implementation and an abstract specification. Weak simulation and weak bisimulation abstract from internal τ-actions. Defined with long moves τ a, τ instead of the normal internal actions before and after every visible action. a. Arbitrarily many On finite-state systems weak equivalences/preorders can be reduced to strong ones by computing the transitive closure w.r.t. τ-actions. On infinite-state systems this is not effectively possible in general. Verification of Infinite-State Systems 15 c 2004 Richard Mayr

(but not vice-versa). Connections to Temporal Logics On finite labeled transition graphs deciding,, is polynomial. For image-finite graphs is the equivalence induced by branching-time logics. For every branching-time temporal logic L with (e.g., L = CTL) we have Hennessy-Milner Logic L action-based µ-calculus X Y iff X,Y cannot be distinguished in L Every finite labeled transition graph can be described up-to (strong and weak) bisimulation equivalence in the temporal logic EF (a fragment of CTL) [Jančar, Kučera, Mayr]. Verification of Infinite-State Systems 16 c 2004 Richard Mayr

General Trends 1. On infinite-state systems, weak equivalences are computationally harder than strong ones. 2. Simulation is computationally harder than bisimulation on almost all natural classes of systems. Verification of Infinite-State Systems 17 c 2004 Richard Mayr

Decidability Results Stronger and stronger positive decidability results for strong bisimulation: Strong bisimilarity decidable for 1-counter machines [Jančar]. Strong bisimilarity decidable for normed pushdown automata [Stirling]. Strong bisimilarity decidable for general pushdown automata [Sénizergues]. Stronger and stronger negative decidability results for weak bisimulation: Weak bisimilarity undecidable for general pushdown automata [Srba]. Weak bisimilarity undecidable for normed pushdown automata [Srba]. Weak bisimilarity undecidable for normed 1-counter machines; even for normed 1-counter nets (Petri nets with only 1 unbounded place) [Mayr]. Verification of Infinite-State Systems 18 c 2004 Richard Mayr

Simulation vs. Bisimulation Complexity Simulation Bisimulation normed PA-normed PA undecidable decidable PDA-PDA undecidable decidable, EXPTIME-hard PDA-FS EXPTIME-complete PSPACE-complete BPA-FS EXPTIME-complete polynomial Verification of Infinite-State Systems 19 c 2004 Richard Mayr

Why is simulation harder than bisimulation? One can reduce bisimulation checking to simulation checking (in polynomial time) for any finitely generated class of transition systems that satisfies one of these properties [Kučera, Mayr, 2002]. The systems can test for non-enabledness of actions (e.g., test for zero). Satisfied, e.g., for pushdown automata. The class is closed under parallel composition of processes and synchronization (over the atomic actions). Satisfied, e.g., for Petri nets. Most classes of systems satisfy one of these requirements. checking must be at least as hard as bisimulation checking. Thus, simulation Verification of Infinite-State Systems 20 c 2004 Richard Mayr

Bisim. Sim.: Method 1 Given two labeled transition graphs S and T. Construct modified transition graphs S and T with the property: S T S T How? Encode the bisimulation game between S and T in a simulation game between S and T. Remark: One can easily reduce simulation preorder to simulation equivalence. Given systems S, T. Define S, T by S a S, S a T, T a T. Then S T S T Verification of Infinite-State Systems 21 c 2004 Richard Mayr

The Power of the Defender in Simulation Games How can the defender in the simulation game force the attacker to something? He threatens to become universal, i.e, to go to a universal state. (At a universal state every action is enabled and stays enabled forever, i.e., Act true.) a a,b,c c a a b a,b,c b c b c Verification of Infinite-State Systems 22 c 2004 Richard Mayr

The Power of the Defender in Bisimulation Games How can the defender in the bisim. game force the attacker to do something? He threatens to make the two processes equal. A technique by Jančar, Srba. (Here slightly improved): X X a a a a a Y 1 2 2 Y 1 Y 2 1 1 2 Z.1 Z.2 Z.1 Z.2 Verification of Infinite-State Systems 23 c 2004 Richard Mayr

Bisim. Game Sim. Game 1. Case (simple): If in the bisimulation game between S and T the attacker moves on the left side, i.e., S a S i, then the defender moves on the right side T a T j. Directly encoded in the simulation game between S and T. In simulation games the attacker always moves on the left side. One round of the bisimulation game encoded in one round of the simulation game. Verification of Infinite-State Systems 24 c 2004 Richard Mayr

Bisim. Game Sim. Game (cont.) 2. Case (more complex): Assume that in the bisimulation game between S and T the attacker moves on the right side, i.e., T a T i and the defender responds by S a S j. Encoding in the simulation game: Attacker moves S a i Ŝ (chooses i, demands move to T i on right side) Defender responds T a i T i,j (encodes i, chooses j) Attacker moves Ŝ a j S j (must make this move; otherwise defender wins) a j Defender moves T i,j T i c (All other moves lead to a universal state, T i,j U for all c aj.) One round of the bisimulation game encoded in two rounds of the simulation game. Verification of Infinite-State Systems 25 c 2004 Richard Mayr

Requirements for the Construction 1. Problem: The attacker (moving on the left side in S) cannot know which actions are currently enabled on the right side (in T ). What happens if the attacker demands something impossible, i.e., a move in T that is not enabled? The defender notices this and goes to a universal state (and thus wins the game). This response must be possible only if the required move is really not enabled. Analogously, if the defender demands an impossible move on the attacker s side, then the attacker can win by performing a special action. Conclusion: A test for enabledness of actions is required. pushdown automata, but not for Petri nets. Possible, e.g., for Verification of Infinite-State Systems 26 c 2004 Richard Mayr

Formal Def. of Construction 1. Given two labeled transition graphs S and T (with initial states s 0, t 0 ). Define new systems S := Attacker-extension(S) T := Defender-extension(T ) with initial states s 0, t 0. and obtain S T S T Verification of Infinite-State Systems 27 c 2004 Richard Mayr

i r[a i, j, 1] r[a i, j, d] λ j i a i s t δ 1 i δ d i a 1 a k a 1 a k a1 a k a 1 a k s(a 1, 1) s(a 1, n 1 ) s(a k, 1) s(a k, n k ) t(a 1, 1) t(a 1, m 1 ) t(a k, 1) t(a k, m k ) t(a i, j) t(a i, j) succ(s, a 1 ) succ(s, a k ) succ(t, a 1 ) succ(t, a k ) Λ s Θ t γ Act a 1 δ 1 1 δ n 1 1 a 1 a k δ 1 k a k δ n k k s(a 1, 1) s(a 1, n 1 ) s(a k, 1) s(a k, n k ) λ j i λ j i r[a i, j, 1] r[a i, j, d] δ d i a i t(a i, j) δ 1 i t(a i, j) succ(s, a 1 ) succ(s, a k ) Act {δ 1 i } Act {δ d i } Act Act Verification of Infinite-State Systems 28 c 2004 Richard Mayr

Bisim. Sim.: Method 2 Given two labeled transition graphs S and T. Construct new transition graphs S := A comp(s, T ) and T := D comp(s, T ) with the property: S T S T Roughly speaking A comp(s, T ) := S T D comp(s, T ) := modified-sync.(s, T ) One round in the bisimulation game between S and T is emulated by two rounds in the simulation game between S and T. Intuition: Both S and T contain copies of both S and T. They always know which moves are possible in S and T. The construction enforces that these copies are kept consistent. Verification of Infinite-State Systems 29 c 2004 Richard Mayr

Bisim. Sim.: Method 2 (cont.) One round in the bisimulation game between S amd T : Attacker moves S a S i Defender replies T a T j This is emulated in two rounds in the simulation game between S and T. Attacker moves S = A comp(s, T ) x i A comp(s i, T ) Defender replies T = D comp(s, T ) x i D comp(s i, ˆT j ) Attacker moves A comp(s i, T ) x j A comp(s i, T j ) Defender replies D comp(s i, ˆT j ) x j D comp(s i, T j ) Conclusion: No test for enabledness of actions required, but parallel comp. and sync. are needed. Works, e.g., for Petri nets and subclasses, but not for PDA. Verification of Infinite-State Systems 30 c 2004 Richard Mayr

s t s(a a 1, 1) 1 s(a 1, n a 1) k s(a s(a 1, 1) lacements k, 1) s(a s(a 1, n k, 1) k ) s(a t(a k, 1) 1, 1) s s(a t(a k, n 1, m k ) t 1) t(a t(a 1, a1) k, 1) 1 t(a t(a 1, ma k, 1) k s(a k ) t(a k 1,, 1) t(a s(a k 1,, mn k 1) ) s(a k, 1) s(a k, n k ) t(a 1, 1) t(a δ1 1 1, m 1) δ n 1 t(a 1 k, 1) t(a δk 1 k, m k ) δ n k k s Formally: Method 2 a 1 a k a 1 a k a 1 a k a 1 a k s λ 1 1 s(a 1, 1) λ m 1t s(a 1, n 1) s(a 1, 11) s(a k, 1) s(a k, n k ) t(a 1, 1) t(a 1, m 1) t(a k, 1) t(a k, m k ) s(a λ 1 1, n 1) k λ m k s(a k k, 1) succ(s, a 1) succ(s, a k ) succ(t, a 1) succ(t, a k ) s(a k, n k ) t(a 1, 1) s t t(a 1, m 1) t(a k, 1) t(a k, m k ) ucc(s, a 1) δ1 1 δ n 1 1 δk 1 δ n k k λ 1 1 λ m 1 ucc(s, a 1 k ) λ 1 k λ m k k ucc(t, a 1) s(a 1, 1) s(a 1, n 1) s(a k, 1) s(a k, n k ) t(a 1, 1) t(a 1, m 1) t(a k, 1) t(a k, m k ) ucc(t, a k ) δ 1 1 δ n 1 1 δ 1 k δ n k k λ 1 1 λ m 1 1 λ 1 k λ m k k succ(s, a 1) succ(s, a k ) succ(t, a 1) succ(t, a k ) (s(a i, 1), t(a i, l)) δ 1 i (s(a i, n i), t(a i, l)) δ n i i (s(a i, 1), t(a i, l)) (s(a i, n i), t(a i, l)) t Act Act {δ 1 i } Act {δ n i i } Act λ l i λ l i (s, t) δ j i δ j i Act Act {λ 1 i } Act {λ m i i } (s(a i, j), t(a i, 1)) (s(a i, j), t(a i, m i)) Act λ 1 i λ m i i (s(a i, j), t(a i, 1)) (s(a i, j), t(a i, m i)) Fig. 2. States s and t of S and T, then the A-composition of S and T, and finally the D-composition of S and T. Verification of Infinite-State Systems 31 c 2004 Richard Mayr

Applied Verification Development of the practical tool IBOC (Incomplete Boundedness Checker). Analyzes systems described in UML RT and PROMELA. Solves questions for systems with asynchronous communication via buffers. Can one get a buffer overflow? Are the reachable buffer lengths bounded? If yes, then by what constant? Automatic incomplete boundedness check for communication buffers between capsules/processes, without exploring the state space. Gives answers YES or NOT PROVEN hints for abstraction refinement. Works by static analysis, without exploring the reachable state-space. Can derive upper bounds on reachable communication buffer content lengths in most cases. Verification of Infinite-State Systems 32 c 2004 Richard Mayr

Applied Verification (cont.) Technique 1: Abstract interpretation and overapproximation. Abstraction preserves Simulation preorder. Upper bounds on reachable channel contents. Technique 2: Static analysis for tracking ranges of crucial variables. Analyzing possible combinations of the effects of cycles in the control-flow graph. Linear programming. Scalable: Works in polynomial time on average-case UML RT/PROMELA models. (Exponential in the worst case). Approach can be generalized to related problems, e.g., memory allocation (memory leaks!), dynamic process creation/destruction, etc. Verification of Infinite-State Systems 33 c 2004 Richard Mayr

Case study: UML RT PBX Private Branch Exchange, a telephone switching system. System defined in UML RT 29 capsules 736 control states 57 communication buffers 308 different message types 10 40 control-state combinations alone, not even counting buffer contents. Run times of the IBOC-tool (on 1 GHz Pentium III): 30 seconds to prove boundedness of the whole system. 1 minute to compute upper bounds on the lengths of all 57 communication buffers. Paper to appear in TACAS 2004. Verification of Infinite-State Systems 34 c 2004 Richard Mayr

Case Study: PROMELA CORBA General Inter-ORB Protocol (GIOP). System model defined in PROMELA. 5 processes 135 control states 11 communication channels 108 different message types IBOC proved that there are only two causes of unboundedness: Flooding by user requests. Unboundedly many register messages for object migrations. If these two causes are removed then IBOC proves boundedness and computes upper bounds in about 10 seconds (on 1 GHz Pentium III). Paper to appear in SPIN 2004. Verification of Infinite-State Systems 35 c 2004 Richard Mayr

Conclusion Automated verification of infinite-state systems is harder than for finite-state ones, but feasible. It requires careful analysis of the problem complexities in all input parameters, and the combination of many techniques, e.g., Abstraction Semantic equivalences State-space reduction techniques Symbolic representation of infinite sets and relations Over- and under-approximation Acceleration Verification of Infinite-State Systems 36 c 2004 Richard Mayr

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback